-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:33                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		kerberosIV distribution contains multiple vulnerabilities
                under FreeBSD 3.x

Category:	core
Module:		kerberosIV
Announced:	2000-07-12
Credits:	Assar Westerlund <assar@FreeBSD.org>
Affects:	FreeBSD 3.x systems prior to the correction date
Corrected:	2000-07-06
FreeBSD only:	NO

I.   Background

KTH Kerberos is an implementation of the Kerberos 4 protocol which
is distributed as an optional component of the base system.

II.  Problem Description

Vulnerabilities in the MIT Kerberos 5 port were the subject of an
earlier FreeBSD Security Advisory (SA-00:20). At the time it was
believed that the implementation of Kerberos distributed with FreeBSD
was not vulnerable to these problems, but it was later discovered that
FreeBSD 3.x contained an older version of KTH Kerberos 4 which is in
fact vulnerable to at least some of these vulnerabilities. FreeBSD
4.0-RELEASE and later are unaffected by this problem, although FreeBSD
3.5-RELEASE is vulnerable.

The exact extent of the vulnerabilities are not known, but are likely
to include local root vulnerabilities on both Kerberos clients and
servers, and remote root vulnerabilities on Kerberos servers. For the
client vulnerabilities, it is not necessary that Kerberos client
functionality be actually configured, merely that the binaries be
present on the system.

III. Impact

Local or remote users can obtain root access on the system running
Kerberos, whether as client or server.

If you have not chosen to install the KerberosIV distribution on your
FreeBSD 3.x system, then your system is not vulnerable to this
problem.

IV.  Workaround

Due to the nature of the vulnerability there are several programs and
network services which are affected. The following libraries and
utilities are installed by the KerberosIV distribution and must be
removed or replaced with non-Kerberos versions to disable all
Kerberos-related code.

bin/rcp (*)
sbin/dump (*)
sbin/restore (*)
usr/bin/kadmin
usr/bin/kauth
usr/bin/kdestroy
usr/bin/kinit
usr/bin/klist
usr/bin/ksrvtgt
usr/bin/telnet (*)
usr/bin/cvs (*)
usr/bin/passwd (*)
usr/bin/rlogin (*)
usr/bin/rsh (*)
usr/bin/su (*)
usr/lib/libacl.a
usr/lib/libacl_p.a
usr/lib/libacl.so.3
usr/lib/libacl.so
usr/lib/libkadm.a
usr/lib/libkadm_p.a
usr/lib/libkadm.so.3
usr/lib/libkadm.so
usr/lib/libkafs.a
usr/lib/libkafs_p.a
usr/lib/libkafs.so.3
usr/lib/libkafs.so
usr/lib/libkdb.a
usr/lib/libkdb_p.a
usr/lib/libkdb.so.3
usr/lib/libkdb.so
usr/lib/libkrb.a
usr/lib/libkrb_p.a
usr/lib/libkrb.so.3
usr/lib/libkrb.so
usr/lib/libtelnet.a
usr/lib/libtelnet_p.a
usr/libexec/kauthd
usr/libexec/kipd
usr/libexec/kpropd
usr/libexec/telnetd (*)
usr/libexec/rlogind (*)
usr/libexec/rshd (*)
usr/sbin/ext_srvtab
usr/sbin/kadmind
usr/sbin/kdb_destroy
usr/sbin/kdb_edit
usr/sbin/kdb_init
usr/sbin/kdb_util
usr/sbin/kerberos
usr/sbin/kip
usr/sbin/kprop
usr/sbin/ksrvutil
usr/sbin/kstash

The files marked with a "(*)" are part of the base FreeBSD system when
the Kerberos distribution is not installed, and are replaced when
Kerberos is installed. Therefore you will need to replace them with
non-Kerberos versions from another system, or perform a recompilation
or reinstallation of FreeBSD after removal, if you wish to continue to
use them.

If you have chosen to install any ports with Kerberos support, such as
the security/ssh port, then you should also remove, or recompile these
with support disabled.

As an interim measure, access control measures (either a perimeter
firewall, or a local firewall on the affected machine - see the
ipfw(8) manpage for more information) can be used to prevent remote
systems from connecting to Kerberos services on a vulnerable Kerberos
server.

V.   Solution

Upgrade your vulnerable FreeBSD 3.x system to a version of FreeBSD
dated after the correction date (FreeBSD 3.5-STABLE dated after the
correction date, 4.0-RELEASE or 4.0-STABLE). See
http://www.freebsd.org/handbook/makeworld.html for more information
about upgrading FreeBSD from source.

Be sure to install the Kerberos code when performing an upgrade
(whether by source or by a binary upgrade) to ensure that the old
binaries are no longer present on the system.

See the note in section IV. above about recompiling ports which were
compiled with Kerberos support.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWzyeVUuHi5z0oilAQFJEwP/ZaecQhuSYfdR4ckwsDtGF86AvmRuqkTo
8A55zz2DeBUPKAVrvJAEuzM15zEL4+w+dofCep9gMAPWlgpNoNHRs4H3BLUjMiXc
UpFgKDYtY/gwYXZKOLVbe4as++G2Polk+oQXrRItV1LGKbjrtjuozPRGmkwCYwOk
/rUWX1tCNLI=
=ysen
-----END PGP SIGNATURE-----
